From bdc96d33511d95a783ead5533b0d866b0a251aab Mon Sep 17 00:00:00 2001 From: misuzu Date: Wed, 3 Feb 2021 17:18:49 +0200 Subject: nixos/gitlab-runner: warn about possible secrets leak --- nixos/modules/services/continuous-integration/gitlab-runner.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/nixos/modules/services/continuous-integration/gitlab-runner.nix b/nixos/modules/services/continuous-integration/gitlab-runner.nix index 2c6d9530a6b..15c37c2bc76 100644 --- a/nixos/modules/services/continuous-integration/gitlab-runner.nix +++ b/nixos/modules/services/continuous-integration/gitlab-runner.nix @@ -339,6 +339,9 @@ in CI_SERVER_URL=<CI server URL> REGISTRATION_TOKEN=<registration secret> + + WARNING: make sure to use quoted absolute path, + or it is going to be copied to Nix Store. ''; }; registrationFlags = mkOption { @@ -523,7 +526,10 @@ in }; }; config = mkIf cfg.enable { - warnings = optional (cfg.configFile != null) "services.gitlab-runner.`configFile` is deprecated, please use services.gitlab-runner.`services`."; + warnings = (mapAttrsToList + (n: v: "services.gitlab-runner.services.${n}.`registrationConfigFile` points to a file in Nix Store. You should use quoted absolute path to prevent this.") + (filterAttrs (n: v: isStorePath v.registrationConfigFile) cfg.services)) + ++ optional (cfg.configFile != null) "services.gitlab-runner.`configFile` is deprecated, please use services.gitlab-runner.`services`."; environment.systemPackages = [ cfg.package ]; systemd.services.gitlab-runner = { description = "Gitlab Runner"; -- cgit 1.4.1